1
votes

We are working on the use-case where we need to use authorization using OAuth Grant Type JWT Bearer Flow.

At a high level, what we know is that the grant type (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer) should be passed along with the JWT assertion for obtaining the access token.

Questions:

1. What kind of use-case fits this kind of grant type?

2. Who would create a JWT assertion? Is it something custom that should be implemented based on the successful authentication of a user?

3. What validations should be done on JWT assertions and access tokens?

4. Can anyone explain the whole flow with a sample?

1 Answer

2
votes

This grant type flow can be used for the following cases:

  1. The JWT is issued by the client itself: the claims iss (issuer) and sub (subject) refer to the client ID. As the subject is the client, it can be compared to the Client Credentials grant type flow. This is very useful for clients that don't want to expose their credentials.

  2. The JWT is issued by a trusted third party (trusted by the authorization server): in this case the subject could be the client itself, another client or an end user.

Section 3 of RFC 7523 is quite clear regarding the claims to check:

  • The iss: the issuer of the token (client or trusted 3rd party)
  • The aud: should contain at least the authorization server. For case 2, it should also contain the client ID
  • The sub: the subject corresponds to the resource owner
  • The exp: expiration time
  • If present, other claims such as iat, nbf, jti or custom claims should be checked and understood.
  • The signature of the JWT, depending on the issuer.
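An added example (not code from the question or the answer) covering case 1 above, where the client issues its own assertion, and the authorization-server-side checks on iss, sub, aud, exp, nbf, jti and the signature. It assumes HS256 with a client secret registered at the authorization server, a hypothetical token endpoint URL as the audience, and a caller-supplied set of already-seen jti values as the replay cache.

```python
import base64, hashlib, hmac, json, time, uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(client_id, client_secret, token_endpoint, ttl=300, now=None):
    """Case 1: the client issues the JWT itself, so iss == sub == client_id (assumed HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_assertion(token, client_secrets, token_endpoint, seen_jti, now=None):
    """Authorization-server side: the section 3 checks; returns (claims, "ok") or (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None, "malformed"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return None, "unsupported alg"
    claims = json.loads(_b64url_decode(c))
    secret = client_secrets.get(claims.get("iss"))  # iss must be a registered (trusted) issuer
    if secret is None:
        return None, "unknown issuer"
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # verify before trusting any claim
        return None, "bad signature"
    if claims.get("sub") != claims["iss"]:  # self-issued assertion: the subject is the client
        return None, "sub is not the client"
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return None, "aud does not include this authorization server"
    if "exp" not in claims or now >= claims["exp"]:
        return None, "expired"
    if now < claims.get("nbf", now):
        return None, "not yet valid"
    jti = claims.get("jti")
    if jti is not None:  # optional claim, but when present it must not be replayed
        if jti in seen_jti:
            return None, "replayed jti"
        seen_jti.add(jti)
    return claims, "ok"
```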